On Tue, 2006-10-24 at 14:17 -0400, David Nedrow wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Has anyone successfully switched from targeted to strict policies
under either FC5 or FC6?
Under FC6, I switched policies and relabeled on a boot. I also booted
into permissive mode. From there, I did an audit2allow to generate a
list of items I would need to add to my running policy.
After creating the module and loading it, all of the AVC messages
disappear even after a reboot. So, to my way of thinking, everything
should be working. However, if I enable enforcement root can log in
but not do anything beyond that. Only a reboot with enforcing set to
permissive at the grub prompt gets roots login working again. Even
after that, there are no new AVC messages.
Does anyone have an idea as to what I'm missing?
Prior to FC5, I had no problems with the strict policy.
A few observations:
- root is not necessarily all powerful under SELinux; it depends on what
role/domain he has. What does id show? root often has to first newrole
-r sysadm_r in order to assume administrative privileges under strict
policy. To enable other users to assume admin privileges, you will need
to map them to staff_u using semanage so that they can newrole to
sysadm_r and then run su or sudo as appropriate.
- Some AVC denials may not be audited due to dontaudit rules in the
policy. These rules are to avoid flooding the audit logs with noise
from extraneous access attempts by libraries and applications that are
not truly required for operation. In the past (before FC5), one could
re-enable all such auditing by rebuilding the policy sources with 'make
clean enableaudit load'. With the introduction of modular policy in
FC5, you no longer have the full policy sources sitting around (unless
you grab the .src.rpm), so the policy package instead prebuilds an
enableaudit.pp file under /usr/share/selinux/(targeted|strict) that you
can install via semodule -b to re-enable auditing at least in the base
module. But I don't believe this addresses non-base modules, which is
an issue in a highly modularized policy like strict.
- FC5 strict policy was broken for other reasons (broken
optionals-in-base support in that libsepol and checkpolicy). That may
get sorted if Dan updates FC5 policy and rebuilds it with the latest
libsepol and checkpolicy.
National Security Agency